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Abstract 

The purpose of this report is to provide a summary of the proposed rule issued November 3, 
1999 to protect the privacy of individually identifiable health information. The Health 
Insurance Portability and Accountability Act of 1996 required issuance of a final privacy 
standard by February 2 1 , 2000. This report will be updated as warranted. 
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Summary of the Proposed Rule for the Privacy of 
Individually Identifiable Health Information 



Summary 

On November 3, 1999, the Secretary of Health and Human Services (HHS) 
issued a proposed rule on patient privacy to implement the security and privacy 
Administrative Simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). The HIPAA directed the Secretary, in the 
absence of legislation governing standards with respect to the privacy of individually 
identifiable health information, to promulgate final regulations containing such 
standards by February 21, 2000. Although Congress considered several proposals 
to protect health information, Congress did not enact legislation governing standards 
with respect to the privacy of individually identifiable health information by the 
August 1 999 deadline imposed by HIPAA. The comment period on the proposed rule 
closed on February 17, 2000, with HHS receiving more than 40,000 comments on the 
proposed rule. Final regulations are anticipated this Spring. 
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Summary of the Proposed Rule for the Privacy of 
Individually Identifiable Health Information 



Background 

On November 3, 1999, the Secretary of Health and Human Services (HHS) 
issued a proposed rule 1 on patient privacy to implement the security and privacy 
Administrative Simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). 2 The comment period on the proposed rule 
closed on February 17, 2000. 3 Final regulations are anticipated this spring. The 
privacy rule is one of several proposed rules published by HHS to implement the 
Administrative Simplification provisions of the HIPAA. 4 

Sections 261 through 264 of HIPAA are known as the Administrative 
Simplification provisions. 5 Section 262 directs HHS to issue standards to facilitate 
the electronic exchange of information with respect to financial and administrative 
transactions carried out by health plans, health care clearinghouses, and health care 
providers who transmit electronically in connection with such transactions. 6 Section 
262 also directs HHS to develop standards to protect the security, including the 
confidentiality and integrity, of such information. Section 264 requires the Secretary 
of HHS to develop and submit to the Congress recommendations for the privacy 
rights that an individual who is a subject of individually identifiable health information 
should have, the procedures that should be established for the exercise of such rights, 
and the uses and disclosures of such information that should be authorized. 7 Section 
264 also directs the Secretary, in the absence of legislation governing standards with 
respect to the privacy of individually identifiable health information, to promulgate 
final regulations containing such standards by February 21, 2000. 



1 Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59917 - 

60065 (to be codified at 45 C.F.R. pt. 160 - 164 (Nov. 3, 1999) 

<http://aspe.hhs.gov/admnsimp/nprm/pvclist.htm>; 

See also Hearing on the Confidentiality of Patient Records, Testimony Before the 
Subcommittee on Health of the House Committee on Ways and Means, 106 th Congress (2000) 
<http://www.house.gov/ways_means/health/ 106cong/2- 17-00/2- 17hamb.htm >. 

2 P.L. 104-191; 42 U.S.C. § 1320d et seq. 

3 64 Fed. Reg. 69981 (December 15, 1999). 

4 Administrative Simplification Rules, < http://aspe.hhs.gov/admnsimp/nprm/index.htm >. 

5 See, CRS Report 98-964, The Health Insurance Portability and Accountability 
Act(HIPAA): Summary of the Administrative Simplification Provisions. (Nov. 18, 1998). 

6 42 U.S.C. §1320d-2. 

7 42 U.S.C. §1320d-2 note. 
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Although Congress considered several proposals to protect health information, 
Congress did not enact legislation governing standards with respect to the privacy of 
individually identifiable health information. 8 The Secretary made preliminary 
recommendations to Congress on September 11, 1997 on ways to protect individually 
identifiable information. 9 In the absence of federal legislation, on November 3, 1999 
the Secretary issued a proposed rule to implement the Administrative Simplification 
privacy standard of HIP AA. 10 In the rule, HHS proposes to establish a new 45 CFR 
subchapter c, parts 160 through 164. Part 160 consists of general administrative 
requirements (general provisions and preemption of state law), parts 161 - 163 
[reserved] will consist of the various Administrative Simplification regulations relating 
to transactions and identifiers, and part 164 consists of the regulations implementing 
the security and privacy requirements of HIPAA. 

In the proposed rule, HHS recognized that efforts to provide legal protection 
against the inappropriate use of individually identifiable health information have been 
made primarily by the States, and that state protections are by and large incomplete, 
and at times, inconsistent. HHS concluded that a clear and consistent set of privacy 
standards would improve the effectiveness and efficiency of the health care system. 
The proposal of the Secretary of Health and Human Services is intended to strike a 
balance between an individual’s right to privacy of their medical records and the 
public policy needs to have access to these medical records to promote public safety. 
Specifically the proposed regulations are intended to “make the use and exchange of 
protected health information relatively easy for health care purposes, and more 
difficult for purposes other than health care.” 1 1 Thus, the information is available to 
those with legitimate needs after satisfying prerequisites; while not being available as 
a general rule. 

These proposed regulations apply to a specified set of covered entities: health 
care providers, health plans, and to health care providers who transmit the information 
in electronic form. 12 The materials that “covered entities” 13 transmit electronically 



8 See generally, Harold Relyea, Stephen Redhead, Gina Stevens, CRS Issue Brief IB98002, 
Medical Records Confidentiality. (Updated regularly). 

9 Confidentiality of Individually-Identifiable Health Information: Recommendations of the 
Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance 
Portability and Accountability Act of 1996. 

< Http://aspe.os.dhhs.gov/admnsimp/pvcrec.htm >. 

10 See generally, Standards for Privacy of Individually Identifiable Health Information, 64 
Fed. Reg. 59917(1999). 

11 See id. at 59924. 

12 See id. See generally Hearing on the Confidentiality of Patient Records supra note 1 
(Statement of N. Stephen Ober, M.D., President and Chief Executive Officer, Synergy Health 
Care, explains that the transfer of health information via electronic means has grown rapidly. 
“...Today 62% of all healthcare claims are precessed electronically, and for hospital and 
pharmacy claims the percentage is over 80%. In 1998 some 2.7 billion out of a total 4.4 
billion claims were processed electronically....”) See id. See generally Hearing on the 
Confidentiality of Patient Records supra note 1 (Statement of N. Stephen Ober, M.D., 

(continued...) 
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would include: the information itself (not the particular records in which the 
information is contained), and the information as it is transformed by the receiver be 
it paper or electronic file. 14 

The release of individually identifiable health care information would be allowed 
under certain approved circumstances. Treatment, payment, and health care 
operations are permissible uses for which disclosure, without individual authorization, 
is approved. 15 Additionally, public policy approves the disclosure of this information 
for “national priority activities, such as reducing health care fraud, improving quality 
of treatment through research, protecting the public health, and responding to 
emergency situations.” 16 

Health care fraud is an example which clearly illustrates the need for access to 
individually identifiable health care information. 17 In order to uncover health care 
fraud, an individual’s care would need to be assessed for unnecessary treatments or 
bills for services which were never rendered. 18 Some studies estimate that Medicare 
and Medicaid fraud cost the state and federal government tens of billions of dollars 
per year. 19 Thus, access to individual health care information becomes vital in 
stopping and prosecuting health care fraud and abuse. 20 



12 (...continued) 

President and Chief Executive Officer, Synergy Health Care, explains that the transfer of 
health information via electronic means has grown rapidly. “...Today 62% of all healthcare 
claims are precessed electronically, and for hospital and pharmacy claims the percentage is 
over 80%. In 1998 some 2.7 billion out of a total 4.4 billion claims were processed 
electronically....”) 

13 See id. at 59924 passim. 

14 Id. 

15 See id. at 59925. 

16 See id., See also Hearing on the Confidentiality of Patient Records supra note l(In order 
for there to be disclosures for purposes other than treatment, payment, and operations 
“specific conditions would have to be met in order for the use or disclosure of protected health 
information [would be] permitted.”) 

17 Kathleen S. Swendiman, Jennifer O’Sullivan, CRS Report 97-895, Health Care Fraud: A 
Brief Summary of Law and Federal Anti-Fraud Activities, p. 1 (Updated Sept. 24, 1997) 
(“Health care fraud has been described as an intentional attempt to wrongfully collect money 
relating to medical services....”) 

18 Health Law, Cases, Materials, and Problems 574 (Barry R. Furrow et al. Eds., 1997). See 
also supra note 10, at 1 . (“Fraud and abuse commonly involve improper billing practices by 
health care providers and consumers....”) 

19 See id. 

20 Katheryn Ehler-Lejcher, The Expansion of Corporate Compliance: Guidance for Health 
Care Entities, 25 Wm. Mitchell L. Rev. 1339 (1999) (citing that the DOJ has recouped 
millions of dollars via litigation over health care fraud and abuse. Similarly the Office of the 
Inspector General for DHHS has expanded its efforts in curbing incidents of health care fraud 
and abuse.) Id. 
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However, privacy in medical records poses a very legitimate ethical issue. 
Because we are discussing individually identifiable health care information, it means 
that this information is linked to the individual patient. 21 Therefore, confidentiality 
poses a challenge to ensure that proper policy and legal constraints are maintained to 
guarantee that unauthorized access is not obtained. 22 The best case scenario would 
be to obtain permission directly from the individual whose records for health 
information is sought. 23 However, instances do exist in which individual approval is 
not obtainable. 24 What follows is a discussion of the privacy rule, a description of the 
policies and procedures that would govern the circumstances under which protected 
health information may be used and released with and without patient authorization, 
and the requirements with respect to a patient’s right of access to her or his protected 
medical information. 

Applicability 

HIPAA limits the scope of the Secretary’s regulations to the following covered 
entities: 

• Health plans 25 



21 Patricia I. Carter, Health Information Privacy: Can Congress Protect Confidential 
Medical Information In The “Information Age,” 25 Wm. Mitchell L. Rev. 223, 234 (1999). 

22 Id. at 235. But see Hearing on the Confidentiality of Patient Records supra note 1 (William 
G. Plested, III, M.D., testifying on behalf of the American Medical Association (AMA) that 
the “proposed regulation... does not adequately protect patient confidentiality and privacy and 
that substantially and unacceptably increases administrative burdens for physicians.” 

23 Id. at 234. 

24 See generally supra note 1 at 59925. 

25 Health plan means an individual or group plan that provides, or pays the cost of, medical 
care. Such term includes, when applied to government funded or assisted programs, the 
components of the government agency administering the program. “Health plan” includes the 
following, singly or in combination: 

( 1) A group health plan, defined as an employee welfare benefit plan (as currently defined 
in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 
1002(1)), including insured and self-insured plans, to the extent that the plan provides medical 
care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg- 
91(a)(2)), including items and services paid for as medical care, to employees or their 
dependents directly or through insurance or otherwise, that: 

(1) Has 50 or more participants; or 

(ii) Is administered by an entity other than the employer that established 
and maintains the plan. 

(2) A health insurance issuer, defined as an insurance company, insurance service, or 
insurance organization that is licensed to engage in the business of insurance in a State and 
is subject to State or other law that regulates insurance. 

(3) A health maintenance organization, defined as a federally qualified health maintenance 
organization, an organization recognized as a health maintenance organization under State 
law, or a similar organization regulated for solvency under State law in the same manner and 
to the same extent as such a health maintenance organization. 



(continued...) 
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• Health care clearinghouses , 26 and 

• Health care providers 27 who engage in electronic administrative 
simplification transactions . 28 



25 (...continued) 

(4) Part A or Part B of the Medicare program under title XVIII of the Act. 

(5) The Medicaid program under title XIX of the Act. 

(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 
1395ss). 

(7) A long-term care policy, including a nursing home fixed-indemnity policy. 

(8) An employee welfare benefit plan or any other arrangement that is established or 
maintained for the puipose of offering or providing health benefits to the employees of two 
or more employers. 

(9) The health care program for active military personnel under title 10 of the United States 
Code. 

(10) The veterans health care program under 38 U.S.C. chapter 17. 

(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as 
defined in 10 U.S.C. 1072(4). 

( 12) The Indian Health Service program under the Indian Health Care Improvement Act (25 
U.S.C. 1601, etseq.). 

(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. 

(14) An approved State child health plan for child health assistance that meets the 
requirements of section 2103 of the Act. 

( 15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 
42 CFR part 422, subpart K. 

(16) Any other individual or group health plan, or combination thereof, that provides or pays 
for the cost of medical care. 

26 “Health care clearinghouse means a public or private entity that processes or facilitates the 
processing of nonstandard data elements of health information into standard data elements. 
The entity receives health care transactions from health care providers or other entities, 
translates the data from a given format into one acceptable to the intended payer or payers, 
and forwards the processed transaction to appropriate payers and clearinghouses. Billing 
services, repricing companies, community health management information systems, 
community health information systems, and "value-added” networks and switches are 
considered to be health care clearinghouses for purposes of this part, if they perform the 
functions of health care clearinghouses as described in the preceding sentences.” 64 Fed. Reg. 
at 60049. 

27 “Health care provider means a provider of services as defined in section 1 86 1 (u) of the Act, 
a provider of medical or health services as defined in section 1 86 1 (s) of the Act, and any other 
person or organization who furnishes, bills, or is paid for health care services or supplies in 
the normal course of business.” 64 Fed. Reg. at 60050. 

28 “Transaction means the exchange of information between two parties to carry out financial 
or administrative activities related to health care. It includes the following: (1) Health claims 
or equivalent encounter information; 

(2) Health care payment and remittance advice; 

(3) Coordination of benefits; 

(4) Health claims status; 

(5) Enrollment and disenrollment in a health plan; 



(continued...) 
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In the regulations, HHS expressed concern that many of the holders of health 
information fall outside the scope of the proposed rule because of its limited 
regulatory authority, and therefore cannot be covered by the regulation pursuant to 
HIPAA. 29 Examples of such health information holders include: 

• Many of the persons who obtain identifiable health information from 
the covered entities ( e.g contractors, researchers, public health 
officials, workers compensation carriers, researchers, life insurance 
issuers, employers and marketing firms). 30 

• Many of the persons that covered entities hire to perform 
administrative, accounting, legal, and similar services for them, and 
who obtain health information in order to perform their duties. 

• Any provider who maintains a solely paper information system 

In background comments to the proposed rule HHS noted that it was prohibited from 
proposing optimal policies to protect individually identifiable information because it 
lacked authority to apply the proposed rule directly to any entity that is not a covered 
entity. In response to this gap, HHS requires covered entities to apply many of the 
provisions of the proposed rule to entities with whom they contract for administrative 
and other services. 

The proposed rule applies only to a subset of individually identifiable health 
information - that which is maintained or transmitted by covered entities and which 
is or has been transmitted in electronic form. Once the information has been 
maintained or transmitted electronically by a covered entity, the protections of the rule 



28 (...continued) 

(6) Eligibility for a health plan; 

(7) Health plan premium payments; 

(8) Referral certification and authorization; 

(9) First report of injury; 

(10) Health claims attachments; and 

(11) Other transactions as the Secretary may prescribe by regulation.” 64 Fed. Reg. at 60050. 

29 See also Hearing on the Confidentiality of Patient Records, Testimony Before the 
Subcommittee on Health of the House Committee on Ways and Means, 106 th Congress 
(2000)< http://www.house.gov/ways_means/health/ 106cong/2- 17-00/2- 1 7hamb.htm > 
(Statement by the Honorable Margaret A. Hamburg, M.D. that the scope of the proposed 
regulations include “health care providers who transmit health information electronically, 
health plans, and health care clearinghouses. ..Protection would start when information 
becomes electronic, and would stay with the information as long as the information is in the 
hands of a covered entity.. ..The paper progeny of electronic information is covered....”) But 
see id. (Testimony of Janlori Goldman, Director, Health Privacy Project, Institute for Health 
Care Research and Policy, Georgetown University, strongly urges Congress to pass a more 
comprehensive regulation which would apply to “ all those who generate, maintain, or receive 
protected health information.”) (emphasis in the original). 

30 



64 FR 59923. 
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follow the information in whatever form, including paper records, in which it exists 
(while it is held by a covered entity). 

HHS expressed concern about the potential confusion that could result from its 
proposal with some health information protected while other similar information 
(paper records not maintained or transmitted electronically) would not be. Based on 
its belief that application of the proposed rule only to information in an electronic 
form will not result in adequate protection for consumers, HHS requested comment 
on whether it should extend the scope of the rule to all individually identifiable 
information, including purely paper records, maintained by covered entities. 
Cognizant of the issue that extending its regulatory coverage might be inconsistent 
with the intent of the provisions in HIPAA, HHS nonetheless stated “... we believe 
that we do have the authority to do so and that there are sound rationale for providing 
a consistent level of protection to all individually identifiable health information held 
by covered entities.” 31 

General Rules 

• Covered entities are prohibited from using and disclosing protected 
health information (PHI) except as provided (§ 164.506) 

• Covered entities can use or disclose PHI with individual 
authorization (§ 164.508) 

• Covered entities can use or disclose PHI without individual 
authorization (§ 164.510) 

• for treatment, payment, and health care operations; 

• for specified public and public policy-related purposes 
(including public health, research, health oversight, law 
enforcement, and use by coroners; 

• when required by other law (such as mandatory reporting 
under state law or pursuant to search warrant)Covered entities 
are required to disclose PHI 

• to permit individuals to inspect and copy PHI about themselves 
(§ 164.514) 

• for enforcement of this rule (§ 164.522) 

With certain exceptions, permitted uses and disclosures of protected health 
information would be restricted to the min im um amount of information necessary to 
accomplish the purpose for which the information is used or disclosed, taking into 
consideration practical and technical limitations and costs. (§ 164.506(a)). 

The proposed rule would also require, with narrow exceptions, covered entities 
to ensure that their business partners with whom they share protected information 
understand through contractual requirements that they are subject to standards 
regarding use and disclosure of PHI, and agree to abide by such rules. (§ 164.506(e)). 



31 



Id. at 59924. 
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The contract between the covered entity and its business partner must limit the 
business partner’s uses and disclosures of PHI to those permitted by the contract, and 
impose certain security, inspection and reporting requirements on the business 
partner. 

The privacy standards are to be implemented by all covered entities, from the 
smallest provider to the largest, multi-state health plan. Implementation of the 
standards is to be flexible and scalable, to account for the nature of each covered 
entities business, as well as its size and resources. 



Uses and Disclosures with Individual Authorization 

Uses and Disclosures When the Individual Initiates the Disclosure (§ 
164.508(a)(1)) 

Under the proposed rule, authorizations must meet the following requirements: 

• The authorization must include a description of the information to be 
used or disclosed.The authorization does not have to state the 
purpose for the disclosure. 

• The authorization must identify sufficiently the covered entity or 
entities that would be authorized to use or disclose protected health 
information.The authorization must identify the person or persons 
that would be authorized to use or receive the protected health 
information. 

• The authorization must state a specific expiration date. 

• The authorization must include a signature or other authentication 
(e.g., electronic signature) and the date of the signature.The 
authorization must include a statement that the individual 
understands that she or he make revoke the authorization. 

• The authorization must clearly state that when an individual 
authorizes disclosure of health information to other than a covered 
entity, the information would no longer be protected once it leaves 
the covered entity. 

Uses and Disclosures When the Covered Entity Initiates the 
Disclosure (§ 164.508(a)(2)) 

In addition to the requirements above (when the individual initiates the 
disclosure), when a covered entity initiates the authorization by asking the individual 
to authorize the disclosure, the following requirements must be met: 

• The authorization must include a statement that identifies the 
purposes for which the authorization is sought as well as the 
proposed uses and disclosures of that information. Uses or 
disclosures inconsistent with that statement would constitute a 
violation of the regulation.The authorization must be narrowly 
tailored to authorize use or disclosure of only the protected health 
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information necessary to the accomplish the purpose specified in the 
authorization. Broad or blanket authorizations are prohibited. 

• Covered entities are required to advise individuals that they may 
inspect or copy the information to be used or disclosed, that they 
may refuse to sign the authorization, and that treatment or payment 
could not be conditioned on the patient’s authorization. The covered 
entity must provide the individual with a copy of the signed 
authorization form.If the covered entity will be receiving financial or 
in- ki nd compensation in exchange for using or disclosing the health 
information the authorization must include a statement that the 
covered entity will gain financially from the disclosure. 

The regulations include a model form that covered entities and third parties that 
wish to have information disclosed to them could use to request authorization from 
individuals for use or disclosure. 32 The regulations also propose that all 
authorizations be written in plain language, and that covered entities be prohibited, 
except in the case of certain clinical trials, from conditioning treatment or payment for 
health care on obtaining an authorization for purposes other than treatment, payment 
or health care operations. A covered entity would not be permitted to obtain an 
authorization for use or disclosure of information for treatment, payment or health 
care operations unless required by applicable law. Where such authorization is 
required by law, it could not be combined with an authorization in the same document 
for any purpose other than payment, treatment or health care operations (e.g., 
research). Covered entities would be required to keep a record of all disclosures for 
purposes other than payment, treatment or health care operations including those 
made pursuant to authorization. When an individual requests such an accounting or 
a copy of a signed authorization form, the covered entity is required to provide it. An 
individual is permitted to revoke an authorization at any time except to the extent that 
action has been taken in reliance on the authorization. If the authorization has any of 
the following defects, the effect would be that there would be no authorization: the 
date has expired, it lacks a required element, it has not been filled out completely, it 
is known to have been revoked or the information on the form is known by the person 
holding the records to be materially false. 



Uses and Disclosures Permitted Without Individual 
Authorization (§ 164.510) 

Throughout the entirety of section E of the proposed federal regulation on 
privacy of individually identifiable health information, the proposal emphasizes the 
proper functioning of the health care system as a whole. 33 The categories in this 
section are intended to “permit and promote key national health care priorities and to 



32 Id. At 60065. 

33 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 
§164.510 (1999) (to be codified at 45 C.F.R. pt. 160 - 164) (proposed Nov. 3, 1999). 
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ensure that the health care system operates smoothly.” 34 The purpose of this section 
of the proposed regulation is to facilitate the use or disclosure without the individual’s 
authorization, however the rule is intended to grant permission without creating a 
mandate. 35 

At first the drafters considered allowing the use and disclosure of information 
only where an affirmative legal requirement mandated its use or disclosure. 36 In the 
final draft, the proposal permits the covered entity to use or disclose the information 
regardless of a legal mandate, because the activities described in the proposal benefits 
society as a whole, 37 expressing the sentiment that the good of the whole outweighs 
that of the individual. 38 

Yet, in categories such as psychiatric and substance abuse records the release of 
the information would have to conform to the more stringent guidelines of the 
applicable law, even if the law refuses to allow its use. 39 Moreover, if other law 
requires that the information be reported, the covered entity must comply. 40 
Summarily, this proposed regulation would not give a covered entity authority to 
“restrict or refuse to make a use or disclosure mandated by other law.” 41 

Uses and Disclosures for Public Health Activities (§ 164.510(b) 

The first category of permitted uses or disclosures deals with Public Health 
Activities 42 Where authorized by law, the covered entity may disclose health 
information to authorized public health officials without an individual’s 
authorization. 43 Also, where authorized by law, the covered entity may disclose 
individually identifiable health information to non-govemmental entities who are 
responsible for conducting public health activities. 44 In conjunction with other 
authorizing law, the proposal would allow disclosure to those “persons who are at 
risk of contracting or spreading a disease.” 45 Similarly, when a public hospital or local 
health department (a government agency) is also the covered entity, an individual’s 



34 Id. 

35 See id. 

36 See id. 

37 See id. 

38 See id. 

39 See id. 

40 See id. 

41 See id. 

42 See supra note 1, at §164.5 10(b). 

43 See id. 

44 See id. 

45 Id. 
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health information may be disclosed to the extent allowable elsewhere in this section 
of the proposed regulations. 46 

As elsewhere in the proposed regulations, the public health activities requirement 
strives to balance the individual’s right to privacy with the overall well-being of the 
community as a whole. 47 The need for protected health information is created by the 
priority to protect the public health. 48 Thus, creating the need for the individually 
identifiable health information to ensure that public health officials are able to fu lf i ll 
their obligations to “promoting health and quality of life by preventing and controlling 
disease, injury, and disability.” 49 

These public health functions are to be given a broad reading to disclose a wide 
range of public health activities. 50 Examples of these public health activities include: 
“reporting of vital events such as birth and death to vital statistics agencies.... [and] 
activities undertaken by the FDA to evaluate and monitor the safety of food, drugs, 
medical devices, and other products.” 51 As exemplified by the FDA, the public health 
authorities given access would not be limited to traditional entities such as the public 
health department. 52 

Additionally, non-governmental agencies would also have authority to request 
individually identifiable health information. 53 One example may be a “device 
manufacturer that collects information under explicit legal authority, or at the 
direction of the Food and Drug Administration.” 54 Yet, another example could be a 
teaching hospital or university that has contracted with public health authorities. 55 

Finally, a third sub-category of individuals who may receive individually 
identifiable health information are those who “could have been exposed to a 
communicable disease or may otherwise be at risk of contracting or spreading a 
disease or condition and is authorized by law to be notified....” 56 



46 See id. 

47 See supra note 1, at § 164.5 10(b)(a). 

48 See id. 

49 Id. 

50 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 212 
§164.510, at §164.510 (b)(b) (1999). 

51 Id. 

52 Mat §164.510 (b)(c)(i). 

53 See id. at §164.510 (b)(c)(ii). 

54 Id. 

55 See id. 

56 Id. at §164.510 (b)(c)(iii). 
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Uses and Disclosures for Health Oversight Activities (§ 164.510(c)) 

Next, the proposed regulations would permit agencies that are public oversight 
agencies access to protected health information for use in activities which are 
authorized by law. 57 This rule defines a public oversight agency “as a public agency 
authorized by law to conduct oversight activities relating to the health care system, 
a government program for which health information is relevant to determining 
beneficiary eligibility or a government regulatory program for which health 
information is necessary for determining compliance with program standards.” 58 

Uses and Disclosures for Judicial and Administrative Proceedings 
(§ 164.510(d)) 

The proposed regulation, § 164.510(d) advances that covered entities may 
disclose protected health information pursuant to an order by a court or administrative 
tribunal. 59 An actual court order may not be needed if the protected health information 
being requested relates to either the party in the proceeding for which it is requested, 
or if the disclosure is otherwise available through the proposed regulation. 60 Another 
instance, which may preclude the necessity of a court order, is one in which a party 
to the judicial or administrative proceeding is both a government entity and also the 
covered entity with the information. 61 Summarily, the proposal would “permit covered 
entities to disclose protected health information in a judicial or administrative 
proceeding if the request for such protected health information is made through or 
pursuant to a court order or an order by an administrative law judge specifically 
authorizing the disclosure of protected health information.” 62 

This section of the proposed regulation is intended to provide access to 
individual health information in situations that involve judicial and administrative 
proceedings. 63 It anticipates that “litigants, government agencies, and others request 
information for judicial or administrative proceedings, including judicial subpoenas, 



51 See id. at §164.510 (c)(a). 

58 Id. at §164.510 (c)(b). (Examples of such agencies include: first category-State Medicaid 
fraud control units; second Category-Department of Education; third category-Occupational 
Health and Safety Administration.) Id. 

59 Standards for Privacy of Individually Identifiable Health Information see supra note 1 , at 
59958. See also Charles Doyle, Congressional Research Service, Law Enforcement Access 
to Third Party Records: Legal Attributes of Procedural Alternatives 7 (General Distribution 
Memo) (1999). (“Administrative subpoenas may be either investigative (roughly analogous 
to a grand jury subpoena) or adjudicatory (roughly analogous to a trial subpoena) depending 
upon the nature of the administrative context in which they arise.”) 

60 Standards for Privacy of Individually Identifiable Health Information, see id. But see 
Hearing on the Confidentiality of Patient Records supra note 1 2. (The AMA recommends that 
an order be required for access to records for all judicial and administrative hearings.) 

61 Standards for Privacy of Individually Identifiable Health Information, see id. 

62 Id. at 59959. 

63 See id. 
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subpoenas duces tecum, notices of deposition, interrogatories, and administrative 
proceedings....” 64 

The covered entity would be required to confirm the validity of such order prior 
to releasing the information. 65 This confirmation would simply entail determining 
“that the request is pursuant to a court order. . .or if the individual who is the subject 
of the protected health information is a party to the proceeding and his or her medical 
condition or history is at issue.” 66 

Yet, the covered entity would not be required in this instance to conduct an 
independent investigation to determine the legality of the court order or request. 67 
Simply reviewing the request and finding it compliant with the terms of the proposed 
regulation would be sufficient. 68 For example, if the request is accompanied by a 
court order, the covered entity may rely on the statement within the order, which 
requests the individual’s health information. 69 However, the covered entity may not 
release more information than is requested by the order. 70 

When a request is not accompanied by a court order, the covered entity must 
determine the following: “whether the request relates to the protected health 
information of a litigant whose health is at issue, a written statement from the 
requester certifying that the protected health information being requested is about a 
litigant to the proceeding and that the health condition of such litigant is at issue at 
such proceeding.” 71 Also, under these proposed regulations, the party to the 
proceeding who is seeking the release of the information would generally need to seek 
judicial review prior to submitting the request. 72 The exception to this requirement 
would be one in which the information is relevant to the proceeding, which allows for 
the party in opposition to object through his or her counsel. 73 

Finally, the proposed regulations also note that more stringent rules exist which 
protect individual medical information, and acknowledge that these other rules would 
remain in place. 74 For example, when the topic of the medical records is disclosing 
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substance abuse or psychiatric records, the current federal and state laws would 
continue to govern these cases. 75 

Disclosure to Coroners and Medical Examiners (§ 164.510(e)) 

Because coroners and medical examiners have a legal duty to “identify deceased 
persons and determine cause of death,” they maintain a legitimate need for readily 
available individually identifiable health information. 76 This portion of the proposed 
regulation is particularly important for expediency reasons, since there is a limited 
amount of time in which an autopsy may be done after death. 77 However, covered 
entities would have an obligation to “verify the identity of the coroner or medical 
examiner making the request.. .and the legal authority supporting the request.” 78 

Disclosure for Law Enforcement (§ 164.510(f)) 

Law enforcement officials have enhanced access to individual medical records 
when conducting criminal investigations. 76 The proposed regulations would not curb 
law enforcement access to these medical records, only require them in some instances 
to gain a subpoena or warrant in order to gain access. 80 

Section 164.510(f) permits covered entities to release individually identifiable 
health information without the individual’ s authorization when the law enforcement 
official is acting in his or her official capacity with certain qualifications. 81 The law 
enforcement official may be conducting lawful intelligence activities. 82 Other incidents 
may include, when the law enforcement official needs the protected health information 
and it is related to the “victim of a crime, abuse or other harm, if the information is 
needed to determine both whether a violation of law by a person other than the victim 
has occurred and whether an immediate law enforcement activity might be 



75 See id. (referencing the governing of substance abuse records under 42 U.S.C. 290dd-2 
which implement 42 CFR part 2; and the discovery of psychiatric records under Jcijfee v. 
Redmond, 116 S.Ct. 1923 (1996)). 

76 Mat §164.5 10(e). 

77 See id. 

78 Id. 

79 See supra note 1 1 at 282. 

80 See supra note 1 at 59960 - 59961. But see Hearing on the Confidentiality of Patient 
Records supra note 12. (The AMA believes that law enforcement should be allowed access 
to an individual’s medical information only via a court order. In his testimony for the AMA, 
Dr. Plested explained that “[pjhysicians and their patients have repeatedly experienced the 
intrusion of law enforcement into patients’ personal medical information when no need for 
identifiable information is established and no protections are provided. The unfortunate result 
is less-rather than greater-confidence in the law enforcement and judicial systems of this 
country.”) 

81 Standards for Privacy of Individually Identifiable Health Information, see id. at 59960. 

82 See id. 
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necessary.” 83 A health care provider or health plan may act in good faith to release 
information to a law enforcement agent when a crime is suspected of being 
committed. 84 “[I]f the plan or provider believed in good faith that the disclosed 
protected health information would constitute evidence of criminal conduct that 
constitutes health care fraud occurred on the premises of the covered entity, or was 
witnessed by an employee of the covered entity.” 85 

Many of these requirements that precede the release of protected health 
information are consistent with the rules governing criminal procedure. Most notably 
they are consistent with the Fourth Amendment to the Constitution. The Fourth 
Amendment to the Constitution provides, “the right of the people to be secure in their 
persons, houses, papers, and effects, against unreasonable searches and seizures, shall 
not be violated, and no Warrants shall issue, but upon probable cause, supported by 
Oath or affirmation, and particularly describing the place to be searched, and the 
persons or things to be seized.” 86 In order for a person to qualify for the Fourth 
Amendment protections they must satisfy two requirements: the person must 
demonstrate actual, subjective, expectation of privacy; and this expectation of privacy 
must be one that society recognizes as being legitimate. 87 Society generally 
recognizes that a person has a right to privacy in regard to their medical records. 88 
Thus, necessitating a warrant in order to divulge the contents of these protected 
records or probable cause to proceed without a warrant. 

A law enforcement official must have probable cause 89 prior to a search taking 
place. In order to have probable cause for a search it must be more likely than not that 
the specific items to be searched for are connected with criminal activity; and that 
these items will be found in the place to be searched. 90 Furthermore, when there are 
exigent circumstances the warrant clause may not apply. 91 The most common exigent 
circumstances are as follows: preventing the imminent destruction of evidence, 
preventing harm to persons, and being in “hot pursuit” of a suspect. 92 



83 Id. 

84 See id. 

85 Id. 

86 U.S. Const. Amend. IV. 

87 See, Katz v. United States, 389 U.S. 347 (1967). 

88 See supra note 11 at 23 1 . 

89 See Doyle, supra note 15, at 1 n.2. (The meaning of probable cause for law enforcement 
is that it is a “fair probability that contraband or evidence of a crime will be found in a 
particular place,” Illinois v. Gates, 462 U.S. 213, 238 (1983)). 

90 See American Criminal Procedure Cases and Commentary 67 - 94 (Stephen A. Saltzburg 
& Daniel J. Capra eds., 5 th ed. 1996). 

91 See id. at 278 - 299. 

92 See id. 
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This brief Fourth Amendment information will assist in further reviewing the 
proposed regulations in regard to law enforcement. Many of the prerequisites for law 
enforcement officials are reflective of the standards in criminal procedure. 

Many times the law enforcement official will obtain necessary evidence by first 
obtaining a “judicially executed warrant, an administrative subpoena, or a grand jury 
subpoena.” 93 Thus, this step of the legal process is consistent with the Fourth 
Amendment requirement. 94 Yet, the proposed regulations also allow for other 
circumstances, such as time constraints to necessitate the release of information 
without first obtaining a warrant. 95 The example which is given is when “health 
information may be needed when a law enforcement official is attempting to 
apprehend an armed suspect who is rapidly fleeing.” 96 This example also parallels 
when the Warrant Clause of the Fourth Amendment would not apply in exigent 
circumstances. 97 The exigent circumstance here is “hot pursuit,” the officer is chasing 
a fleeing suspect. 

When the release of protected health information is in the public interest the 
proposed regulations favor making them available to law enforcement officials. 98 
Specifically when the information is being sought as part of an investigation or as 
evidence at trial. 99 

The proposed regulation suggests that the covered entity review an 
administrative request by applying a three-part test. 100 The distinction put forth is that 
the administrative actions lack the protections that exist with an independent judicial 
officer or the secrecy of a grand jury. 101 Therefore, a “covered entity could disclose 
protected health information pursuant to an administrative request, [after determining 
that] (i) the records sought are relevant and material to a legitimate law enforcement 
inquiry; (ii) the request is as specific and narrowly drawn as reasonably practicable; 
and (iii) de-identified information could not reasonably be used to meet the purpose 
of the request.” 102 



93 Standards for Privacy of Individually Identifiable Health Information, supra note 1 , at 
59960. 

94 See supra note 39. 

95 See supra note 46. 

96 Id. 

97 See supra note 43. 

98 Standards for Privacy of Individually Identifiable Health Information, see supra note 1 , at 
59960. 

99 See id. 

100 Standards for Privacy of Individually Identifiable Health Information, see supra note 1 , at 
59961. 

101 See id. 

102 Id. 
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Once more, the Federal law regarding substance abuse would remain in effect. 103 
This regulation would not pre-empt the protections given psychiatric and substance 
abuse records. 104 

The regulations seek to suspend enforcement of the regulation should the 
covered entity “disclose protected health information to law enforcement officials in 
a good faith belief that the disclosure was permitted under [the] title.” 105 In keeping 
with the overall intent of the proposed regulation, the balance between the greater 
public good and the privacy of the individual is sought. 106 

Uses and Disclosures for Governmental Health Data Systems (§ 
164.510(g)) 

As part of the government’s efforts to “improve public policies and program 
management, improve health care and reduce costs, and improve information available 
for the consumer,” protected health care information may be made available to 
government agencies who collect and analyze data. 107 The government uses the 
health care data to analyze and improve all aspects of the health care system. 108 Not 
all states explicitly provide authority to collect this data, therefore, specific legal 
authority need not be a prerequisite for permitting access to this information. 109 In 
fact, many agencies rely on a broad authority for legal access to such information. 
Thus, this access would continue under the proposed regulations. 110 

Disclosure of Directory Information (§ 164.510(h)) 

This section of the proposed regulations focuses narrowly on inpatient 
facilities. 1 1 1 The proposed regulations apply to the patient directories which are kept 
to provide general information on the patient such as “allowing confirmation of a 
person’s presence in a facility, providing the room number for visits and deliveries, 



103 Standards for Privacy of Individually Identifiable Health Information, see supra note 1 , at 
59963. 

104 See id. 

105 Standards for Privacy of Individually Identifiable Health Information, supra note 1 , at 
59964. 

106 See id. 

107 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 
212 §164.510(g) (1999). 

108 Id. 

109 See id. 

110 See id. 

111 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 
212 § 164.510(h) (1999). 
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and sometime providing general information on the patient’s condition.” 112 As these 
services cannot be provided without revealing an individual’s health information, the 
proposed regulations require that the covered entity first seek the approval of the 
patient. 113 Should the patient be incapacitated then the proposed regulations indicate 
that a legal guardian or representative for the patient be asked to make the decision. 1 14 
If a patient is incapacitated without a guardian, or admitted to the facility in an 
unconscious state, the covered entity is authorized to make the determination. 
However, should the patient’s condition improve or a legal representative present 
themselves, they should be consulted as to their wishes at the earliest possible time. 115 

Disclosure for Banking and Payment Processes (§ 164.510(i)) 

Means of payment may often times identify the condition for which treatment 
was received. 116 However, the proposed regulations would not seek to impede this 
process due to its negative impact on the health care system." 7 For the purposes of 
collecting, billing, or authorizing payment of healthcare, minimal information would 
be allowed to be released under the proposed regulations. 118 It would not be 
appropriate to include diagnostic or treatment information, however information that 
would be permissible includes: “(l)name and address of account holder; (2) the name 
and address of the payer or provider; (3) the amount of the charge for health service; 
(4)the date on which the health services were rendered; (5) the expiration date for the 
payment mechanism, if applicable... (6) the individual’s signature.” 119 

While the proposed regulations limit the information which may be provided to 
a financial institution, it is recognized that financial institutions may offer services 
beyond banking. 120 Under these circumstances, the regulations leave room for a 
banking institution to provide tracking services, or business partnerships. 121 In these 
instances, the regulations would expand to approve further exchanges of health 
information. 122 



112 Id. at §164.5 10(h)(a). 

See id. at § 164.5 10(h)(b). 

114 See id. 

115 See id., at § 164.5 10(h )(b)(i), at § 164.5 10(h)(b)(ii). 
n6 See id. at §164.5 10(i). 

117 See id. 

118 See id. 

119 Id. 

120 See generally supra note 39. 

121 See id. at § 164.5 10(i)(b). 

122 See id. 
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Uses and Disclosure for Research (§ 164.510(j)) 

The proposed regulations in §164.510(j) concern the use and disclosure of 
individually identifiable health information for research purposes. 123 The health 
information may be disclosed for research, regardless of the funding source as long 
as written requirements are fulfilled. In order to allow use or disclosure the covered 
entity must obtain in writing: waiver of authorization, date of approval, categories of 
criteria, and required signature. 124 

More specifically, the proposed regulations intend for the covered entities to 
enter into a written contract with the researcher, before they may access individually 
identifiable health information without the specific authorization of the individual. 125 
The waiver of authorization must be approved by either an Institutional Review B oard 
(IRB), or a privacy board. 126 The requirements of the IRB are codified at 45 CFR 
46. 107. 127 Otherwise, the review board must meet three suggested criteria: 

(A) Has members with varying backgrounds and appropriate professional 
competency as necessary to review the research protocol; (B) Includes at 
least one member who is not affiliated with the entity conducting the 
research or related to a person who is affiliated with such entity; and (C) 

Does not have any member participating in a review of any project in which 
the member has a conflict of interest. 128 

Should a review board not meet this criteria, the covered entity would then not be 
permitted to disclose the information. However, if the review board meets the criteria, 
then the date of approval must accompany the approval of the waiver. 129 

The review board must determine that the authorization satisfies the following: 

• The use or disclosure of protected health information involves 
no more than minimal risk to the subjects; 

• The waiver will not adversely affect the rights and welfare of 
the subjects; 

• The research could not practicably be conducted without the 
waiver; 

• Whenever appropriate, the subjects will be provided with 
additional pertinent information after participation; 



123 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 
212§ 164.5 10(j) (1999) (to be codified at 45 C.F.R. pt. 160-164) (proposed Nov. 3, 1999). 

124 See id. 

125 See id. 

126 See id at § 164.5 10(j)( 1). 

127 See id at § 1 64.5 10(j)( l)(i). 

128 Mat §164.5 10(j)(l)(ii). 

129 Id at § 164.5 10(j)(2). 
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• The research could not practicably be conducted without 
access to and use of the protected health information; 

• The research is of sufficient importance so as to outweigh the 
intrusion of the privacy of the individual whose information is 
subject to the disclosure; 

• There is an adequate plan to protect the identifiers from 
improper use and disclosure; 

• There is an adequate plan to destroy the identifiers at the 
earliest opportunity consistent with conduct of the research, 
unless there is a health or research justification for retaining the 
identifiers. 130 

Finally, the chair of the board, either the IRB or the privacy board, must sign the 
waiver in order for the waiver to be official. 131 

Use and disclosure in emergency circumstances (§ 164.510(k)) 

This section is proposed to complement the sections for disclosure under law 
enforcement and public health. 132 It would apply in circumstances which may not be 
fully covered under these other sections. Circumstances which may require the use or 
disclosure of this information are emergency first responders which includes law 
enforcement personnel, and other emergency response personnel. 1 ” 

The proposed regulation specifically requires that a covered entity comply with 
“applicable law and standards of ethical conduct and based on a reasonable belief that 
the use or disclosure is necessary to prevent or lessen a serious or imminent threat to 
health or safety of an individual or the public....” 134 

A covered entity would be permitted to disclose the health information based 
upon a request from an official with apparent authority. 13 ^ The disclosure by the 
covered entity may be made upon a reasonable belief that the disclosure is one of 
necessity. 136 

Disclosure to Next-of-Kin (§ 164.510(1)) 

The proposed regulation would require health care providers to obtain a verbal 
agreement from the individual, when that individual has the capacity to make his or 
her own health decisions, before disclosing protected health information to next-of- 



130 See id. at §6 14.5 10(j)(3)(i-iv). 

131 See id. at §614.5 10(j)(4). 

132 See id. at §614.510(k). 

133 See id. at §614.5 10(k)(l). 

134 Id. 

135 See id. at §6 14.5 10(k)(2). 

136 See id. 
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kin, other family members, or to others with whom the individual has a close personal 
relationship. Where it is impractical or not feasible to obtain verbal agreement, 
providers could disclose information that is directly relevant to the person’s 
involvement in the individual’ s care, consistent with good professional health practices 
and ethics. 137 

Uses and Disclosures for Specialized Classes (§ 164.510(m)) 

The use and disclosure of individually identifiable health information by a 
covered entity without the individual’s authorization may also be necessary and 
permissible in unique situations such as federal programs. The disclosures under this 
section range from military purposes to Department of State. 138 

When a health plan or health care provider is requesting information from an 
appropriate military command authority, it may provide the information on military 
personnel. 139 The Federal Register requires that this proper military authority has 
complied with the following: 

(i) Appropriate military command authorities; 

(ii) The circumstances for which use or disclosure without 
individual authorization would be required; and 

(iii) Activities for which such use or disclosure would occur in 
order to assure proper execution of the military mission. 140 

The Department of Veterans Affairs may also utilize protected health 
information. 141 They may use it to “determine eligibility for entitlement to” benefits 
provided by the Veterans Administration. 142 Other federal entities which may utilize 
otherwise protected health information include: the Intelligence Community (see 
National Security Act, 50 U.S.C. 401(a)), the Department of State (specifically 
mentioned is the Foreign Service). 143 

Uses and Disclosures Otherwise Required by Law (§ 164.510(n)) 

The proposed regulation allows covered entities to use or disclose protected 
health information if such use or disclosure is not addressed elsewhere in § 164.510 
(uses and disclosures for which individual authorization is not required), is required 



137 


See 


id. §164.510(1). 
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id at §614.510(m)(l-4). 
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by other law, and the disclosure meets all the relevant requirements of the law. 144 An 
example of another law requiring disclosure could be State workers’ compensation 
laws. This section would permit health care providers to report abuse of any person 
as required by State law (child abuse or neglect, elder abuse or neglect). HIPAA 
specifically required that this regulation not interfere with State requirements for 
reporting abuse. 145 In addition, the regulation was designed not to interfere with State 
requirements that health care providers report gunshot wounds and certain other 
conditions related to violence. 

Individual Rights 

Four basic individual rights would be created: the right to a notice of information 
practices; the right to obtain access to protected health information about them; the 
right to obtain access to an accounting of how their protected health information has 
been disclosed; and the right to request amendment and correction of protected health 
information. The rights would apply with respect to protected health information held 
by health care providers and health plans. Clearinghouses would not be subject to all 
of these requirements because as business partners of covered plans and providers, 
clearinghouses would not usually initiate or maintain direct relationships with 
individuals. 

Written Notice of Information Practices (§ 164.512) 

HHS proposes that individuals have a right to an adequate notice of the 
information practices of covered plans and providers. The notice would be intended 
to inform individuals about what is done with their protected health information and 
about any rights they may have with respect to that information. Federal agencies 
must adhere to a similar notice requirement pursuant to the Privacy Act of 1974. 146 

Notices must include in plain language a statement which describes the uses and 
disclosures, and the entity’s policies and procedures with respect to such uses and 
disclosures. The notice must state that other uses and disclosures will be made only 
with the individual's authorization and that such authorization may be revoked; that 
an individual may request that certain uses and disclosures of his or her protected 
health information be restricted, and that the covered entity is not required to agree 
to such a request; that an individual has the right to request inspection and copying, 
amendment or correction, and an accounting of the disclosures of her or his protected 
health information by the covered entity; and that the covered entity is required by law 
to protect the privacy of individually identifiable health information. Individuals may 
complain to the covered entity or to the Secretary if they believe their privacy rights 
have been violated. 



144 See id. § 164.5 10(n). 

145 See, Section 1 178(b) of HIPAA. 

146 5 U.S.C. 552a(e)(3). 
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Access for Inspection and Copying (§ 16.514) 

The proposed rule provides that an individual has a right of access to, which 
includes a right to inspect and obtain a copy of, his or her protected health 
information from a covered entity that is a health plan or a health care provider, 
including non-duplicative information in a business partner's record, for so long as the 
information is maintained. The rule also established various grounds upon which a 
covered entity may deny a request for access. The access procedures must provide 
a means by which an individual can request inspection or a copy of protected health 
information about her or him, and provide for action on such requests not later than 
30 days following receipt of the request. Where the request is accepted, the covered 
entity must notify the individual of the decision and of any steps necessary to fu lf i ll the 
request; provide the information requested in the form or format requested; facilitate 
the process of inspection and copying; and assess a reasonable, cost-based fee for 
copying, if desired. Where the request is denied in whole or in part, the covered 
entity must provide the individual with a written statement in plain language of the 
basis for the denial, and a description of how the individual may complain to the 
covered entity or to the Secretary. 

Accounting of Disclosures (§ 164.15) 

The proposed rule provides that, subject to certain exceptions, an individual has 
a right to receive an accounting of all disclosures of protected health information 
made by a covered entity as long as such information is maintained by the entity. An 
accounting is not required for disclosures for treatment, payment and health care 
operations or for disclosures to health oversight or law enforcement agencies, if the 
health oversight or law enforcement agency has provided a written request stating that 
the exclusion is necessary because disclosure would be reasonably likely to impede the 
agency's activities. 

Amendment and Correction (§ 164.516) 

The proposed rule provides that an individual has the right to request a health 
plan or health care provider to amend or correct protected health information about 
her or him for as long as the covered entity maintains the information. A covered 
entity may deny a request for amendment or correction, if it determines that the 
information that is the subject of the request was not created by the covered entity, 
would not be available for inspection and copying or is accurate and complete. A 
covered entity that is a health plan or health care provider must have procedures to 
enable individuals to request amendment or correction, to determine whether the 
requests should be granted or denied, and to disseminate amendments or corrections 
to its business partners and others to whom erroneous information has been disclosed. 
Where the request is denied in whole or in part, the covered entity must provide the 
individual with a written statement in plain language of the basis for the denial, a 
description of how the individual may file a written statement of disagreement with 
the denial; and a description of how the individual may complain to the covered entity 
or to the Secretary. 
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Costs 

Section 1 172(b) of the HIPAA provides that “(a)ny standard adopted under this 
part (part C of title XI of the Act) shall be consistent with the objective of reducing 
the administrative costs of providing and paying for health care.” 147 In the Regulatory 
Impact and Regulatory Flexibility Analysis accompanying the proposed rule, HHS 
recognized that the proposed privacy standards would entail substantial initial and 
ongoing administrative costs for entities subject to the rules. However, HHS ’ analyses 
also indicate that the rules should produce administrative and other cost savings that 
should offset such costs on a national basis. 

The total cost of development of privacy policies and procedures for providers 
and plans is estimated to be $395 million over five years. With respect to revisions 
to electronic data systems, the additional cost of the privacy element would be about 
$90 million over five years. The development costs for notice of privacy practices is 
estimated at $30 million over five years. The total five year cost of providing notices 
to all provider patients and customers would be approximately $209 million. The 
total cost to plans of providing notices would be $231 million over five years. The 
cost of inspection and copying is estimated to be $405 million over five years. The 
total cost of amending and correcting patient records will be $2 billion over five years. 
Written patient authorizations are estimated to generate costs of approximately $27 1 
million over five years. The estimated total cost of paperwork and training is 
estimated at $1 10 mi ll ion over five years. Overall, the five-year costs, beyond those 
already included in the administrative simplification estimates, would be about $3.8 
billion over five years, with an estimated range of $1.8 to $6.3 billion. 148 

Preemption (§ 160.203) 

The general rule is that any standard, requirement, or implementation 
specification adopted pursuant to subchapter C - Administrative Data Standards and 
Related Requirements - that is contrary 149 to a provision of State law preempts the 
provision of State law. 150 The general rule applies, except where one or more of the 
following conditions is met: 

• A determination is made by the Secretary that the provision of State 
law is necessary 



147 42 U.S.C. § 1320d-l. 

148 64 Fed. Reg. at 60014-60018. 

149 “Contrary, when used to compare a provision of State law to a standard, requirement, or 
implementation specification adopted under this subchapter, means: 

(1) A party would find it impossible to comply with both the State and federal requirements; 
or 

(2) The provision of State law stands as an obstacle to the accomplishment and execution of 
the full purposes and objectives of part C of title XI of the Act or section 264 of P.L. 104- 
191, as applicable.” 64 Fed. Reg. At 60050. 

150 See Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. At 
60051. 
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- to prevent fraud and abuse, to ensure appropriate State regulation of 
insurance and health plans, for State reporting on health care delivery or 
cost, or for other purposes related to improving the Medicare program, the 
Medicaid program, or the efficiency and effectiveness of the health care 
system (§ 160.203(a)(1)); or 

• A determination is made by the Secretary that the provision of State 
law addresses controlled substances (§ 160.203(a)(2); 

• The provision of State law 

- relates to the privacy of health information and is more stringent than a 
standard, requirement, or implementation requirement adopted under 
subpart E (Privacy of Individually Identifiable Health Information) (§ 
160.203(b)); 

- or the State established procedures, are established under a State law 
providing for the reporting of disease or injury, child abuse, birth, or death, 
or for the conduct of public health surveillance, investigation, or 
intervention (§ 160.203(c)); 

- requires a health plan to report, or to provide access to, information for 
the purpose of management audits, financial audits, program monitoring 
and evaluation, facility licensure or certification, or individual licensure 
certification (§ 160.203(d)). 

A State may request that the Secretary except a provision of State law from 
preemption under section 160.203(a). The State’s request to the Secretary must 
include the State law for which the exception is requested, an explanation of how 
health care providers, health plans, and other entities would be affected by the 
exception, of how long the exception would be in effect, and the reasons why the 
State law should not be preempted. The Secretary’s determination is to be made on 
the basis of the extent to which the State has demonstrated that one or more of the 
preemption exceptions criteria has been met. If the federal requirement accomplishes 
the purposes of the preemption exception criteria as well as or better than the State 
law, the request will be denied. An exception granted is effective for three years, and 
has effect only with respect to transactions taking place wholly within the State for 
which the exception was requested. Determinations made by the Secretary will be 
published annually in the Federal Register. 

The Secretary may, either at the State’s request or at her own initiative, issue 
advisory opinions as to whether a provision of State law constitutes an exception 
under section 160.203(b) to the general rule of preemption. The State’s request to 
the Secretary must include the State law for which the exception is requested, the 
particular standard for which exception is requested, an explanation of how health 
care providers, health plans, and other entities would be affected by the exception, of 
how long the exception would be in effect, and the reasons why the State law should 
not be preempted. The Secretary’s determination is to be made on the basis of the 
extent to which the State has demonstrated that the criteria of section 160.203(b) 
have been met. An exception granted has effect only with respect to transactions 
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taking place wholly within the State for which the exception was requested. Advisory 
opinions made by the Secretary will be published annually in the Federal Register. 

Compliance and Enforcement 

The Secretary is authorized to provide technical assistance to covered entities. 
An individual may file a compliant with the Secretary if the individual believes that the 
covered entity is not complying with the rule. Where the complaint relates to the 
alleged failure of a covered entity to amend or correct protected health information, 
the Secretary will determine whether the required procedures have been complied 
with but will not determine whether the information involved is accurate, complete, 
or whether errors or omissions might have occurred. The Secretary may conduct 
compliance reviews, and covered entities are required to cooperate with the Secretary 
in such a review. Covered entities may not intimidate, threaten, coerce, discriminate 
against, or take other retaliatory action against an individual for filing a complaint, for 
testifying, assisting, participating in an investigation, compliance review, proceeding 
or hearing under this Act, or opposing any act or practice made unlawful. If an 
investigation or compliance review, proceeding or hearing indicates a failure to 
comply, the Secretary will resolve the matter by informal means whenever possible. 
If the matter cannot be resolved informally, the Secretary may issue written findings, 
and may use the findings as a basis for initiating action under section 1 176 of the Act 
(civil monetary penalties) 151 or initiating a criminal referral under section 
1177(penalties for disclosing individually identifiable health information). 152 

Effective Date 

A covered entity has 24 months following the effective date of the rule to be in 
compliance, except that small health plans have 36 months to come into compliance. 



151 Section 1 176 of the Act establishes civil monetary penalties for violation of the provisions 
in part C of title XI of the Act, subject to several limitations. Penalties may not be more than 
$ 100 per person per violation and not more than $25,000 per person for violations of a single 
standard for a calendar year. 

152 Section 1177 establishes penalties for any person that knowingly uses a unique health 
identifier, or obtains or discloses individually identifiable health information in violation of 
the part. The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of 
not more than 1 year; (2) if the offense is "under false pretenses," a fine of not more than 
$100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent 
to sell, transfer, or use individually identifiable health information for commercial advantage, 
personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of 
not more than 10 years. These penalties do not affect any other penalties that may be imposed 
by other federal programs. 




